EPrints Technical Mailing List Archive
See the EPrints wiki for instructions on how to join this mailing list and related information.
Message: #08017
Re: [EP-tech] CSRF
- To: "eprints-tech@ecs.soton.ac.uk" <eprints-tech@ecs.soton.ac.uk>, "Maher Abdellatif Ahmad Qahwash" <qahwash@kfupm.edu.sa>
- Subject: Re: [EP-tech] CSRF
- From: "Newman D.R." <drn@ecs.soton.ac.uk>
- Date: Thu, 7 Nov 2019 12:13:14 +0000
Hi Maher,

This depends if you have just created a new repository/archive or if you have upgraded to 3.4.1 for an existing archive. For the latter you will need to manually copy EPRINTS_PATH/lib/defaultcfg_zero/cfg.d/csrf_protection.pl to your archive (i.e. EPRINTS_PATH/archives/ARCHIVE_NAME/cfg.d/csrf_protection.pl). Otherwise csrf_protection.pl should have automatically been added to your archive on creation.

Either way it is best you change the csrf_token_salt config variable to something else. Generating a suitable token salt can be done using OpenSSL:

openssl rand -base64 8

8 characters should be more than sufficient, as the current time is also used in generating each token. Using the default token salt gives you improved security but is not ideal as a determined hacker could work out valid tokens they could use.

Regards

David Newman

On 07/11/2019 11:54, Maher Abdellatif Ahmad Qahwash via Eprints-tech wrote:
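The procedure David describes (copy csrf_protection.pl into the archive's cfg.d if it is not there, then replace the csrf_token_salt value with a freshly generated one), as an added example script that is not part of the original message or of EPrints itself. It assumes the config line has the Perl form `$c->{csrf_token_salt} = '...';`, which is how EPrints cfg.d settings are normally written, and reads EPRINTS_PATH and ARCHIVE_NAME from the environment; both are assumptions, not details from the message.

```shell
#!/bin/sh
# Added example, not EPrints' own code. Installs csrf_protection.pl into an
# archive's cfg.d when missing and sets csrf_token_salt to a fresh random value.
# Assumption: the setting is a Perl line of the form
#   $c->{csrf_token_salt} = '...';

# Produce a random base64 salt. The message suggests `openssl rand -base64 8`;
# fall back to /dev/urandom when openssl is not installed.
generate_salt() {
    nbytes="${1:-8}"
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 "$nbytes"
    else
        head -c "$nbytes" /dev/urandom | base64
    fi
}

# Copy the default csrf_protection.pl into the archive if it is not there yet.
# Succeeds when the archive copy exists afterwards.
install_csrf_config() {
    eprints_path="$1"; archive="$2"
    src="$eprints_path/lib/defaultcfg_zero/cfg.d/csrf_protection.pl"
    dst="$eprints_path/archives/$archive/cfg.d/csrf_protection.pl"
    if [ ! -f "$dst" ]; then
        cp "$src" "$dst" || return 1
    fi
    [ -f "$dst" ]
}

# Print the salt currently configured in a cfg.d file (single or double quoted).
current_salt() {
    awk '/^[[:space:]]*\$c->.csrf_token_salt./ {
            sub(/^[^'\''"]*['\''"]/, ""); sub(/['\''"].*$/, ""); print; exit
         }' "$1"
}

# Replace the csrf_token_salt assignment with the given salt, appending the
# line if the file has none. awk is used so that '/' and '+' in base64 output
# need no escaping. The original file is replaced atomically via a temp file.
set_salt() {
    cfg="$1"; salt="$2"
    awk -v salt="$salt" '
        /^[[:space:]]*\$c->.csrf_token_salt./ {
            print "$c->{csrf_token_salt} = \047" salt "\047;"; found = 1; next
        }
        { print }
        END { if (!found) print "$c->{csrf_token_salt} = \047" salt "\047;" }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Stand-alone use: EPRINTS_PATH=/opt/eprints3 ARCHIVE_NAME=myrepo sh rotate_salt.sh
if [ -n "${EPRINTS_PATH:-}" ] && [ -n "${ARCHIVE_NAME:-}" ]; then
    install_csrf_config "$EPRINTS_PATH" "$ARCHIVE_NAME" || exit 1
    cfg="$EPRINTS_PATH/archives/$ARCHIVE_NAME/cfg.d/csrf_protection.pl"
    echo "old salt: $(current_salt "$cfg")"
    set_salt "$cfg" "$(generate_salt 8)" || exit 1
    echo "new salt written to $cfg (restart the web server for it to take effect)"
fi
```

Rotating the salt invalidates tokens already embedded in open forms, so run it at a quiet time and then reload Apache as you would after any cfg.d change.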
- References:
- [EP-tech] export import
- From: Maher Abdellatif Ahmad Qahwash <qahwash@kfupm.edu.sa>
- Re: [EP-tech] export import
- From: "Alan.Stiles" <alan.stiles@open.ac.uk>
- [EP-tech] CSRF
- From: Maher Abdellatif Ahmad Qahwash <qahwash@kfupm.edu.sa>